The Bad, The Worse, and The Ugly of Wireless Security

There is steady growth in businesses adopting wireless technology to increase workforce productivity, but that gain comes with a heavy surge in security risk. External and internal threats have successfully targeted and compromised corporate wireless networks for years, which in turn has driven demand for heightened vigilance, both when deploying Wi-Fi networks and in specialized training for employees on how to use them. Corporate WLAN isn’t going away anytime soon, so it’s important that we understand the top security risks that plague this technology and how professionals can bridge the gap in security maturity.

The Impact to the Security Boundary

Boundary security is only as strong as its weakest link. In the case of Wi-Fi, I find that physical security is an effective analogy for illustrating the impact Wi-Fi has on the security boundary. Effective physical security controls ensure that unauthorized individuals can’t just walk up and plug their computer into the company’s Ethernet ports. Wireless networks, however, introduce new opportunities for threat actors by removing the need for physical entry. By simply getting close enough, an attacker with a laptop and a wireless LAN card may be able to obtain an IP address on the network. Yagi, backfire, and other inexpensive makeshift antennas allow this from several miles away, which considerably reduces the direct risk to the attacker.

This case is amplified when we consider Wi-Fi availability in the company parking lot(s). The best metaphor I have seen that captures the reality of wireless connectivity in the company parking lot comes from the National Institute of Standards and Technology (NIST), which stated:

“Perhaps the most significant source of risks in wireless networks is that the technology’s underlying communications medium, the airwave, is open to intruders, making it the logical equivalent of an Ethernet port in the parking lot.”

Physical deployment and signal strength should be limited so that wireless signals do not extend out into the parking lot. That might make some smokers unhappy, but the security gains are far more substantial.

The last significant hit to the security boundary that I’ll discuss stems from the explosion in mobile technology in recent years. That explosion has driven advances in networking technology to support these devices, fingerprint them, and manage their identities. The sheer volume of mobile devices found in companies today has created significant challenges for security teams and unanticipated risks to wireless networks from internal and external adversaries, creating a new dynamic that has expanded the network beyond its traditional boundaries.

Wireless “Rogue” Access Points

Rogue devices are wireless devices, such as access points, that should not be on your network. It’s that simple. IT and security teams that identify equipment they don’t recognize should take steps to investigate and block it from network access immediately. Policies, training, and practices should be enforced to prohibit employees from setting up their own “rogue” access points. Additionally, vulnerability scanners can be leveraged to check for activity on any wireless bands or channels you don’t usually use.

The Nefarious “Evil Twins”

I consider evil twins to be the most atrocious WLAN vulnerability that exists today. For those who aren’t familiar with the term, let’s first talk about what “evil twins” are. An evil twin can be summarized as a nasty variant of the phishing attack and a distant cousin of the rogue access point. They can be used legitimately by ethical penetration testers, but in the wrong hands they are inherently malicious. The objective of an evil twin is to lure an unsuspecting individual into connecting to an access point that is masquerading as a legitimate one, and then to deceive the end user into releasing sensitive information.

To illustrate the danger, let’s use Starbucks as an example. Take an individual who frequents Starbucks and uses the free wireless by connecting to the access point named “Starbucks”. Unfortunately, about 99% of the population doesn’t change their laptops’ or mobile devices’ default configurations, and those defaults remember the SSIDs you connect to and, for the sake of convenience, reconnect to them automatically whenever you come within range. This becomes a particularly dangerous situation when we bring evil twins into the picture.

An individual with malicious intent who happens to have a small and relatively inexpensive evil twin hacking tool, such as a Pineapple, could walk into a mall, activate the device, have it broadcast the same SSID as Starbucks, connect it to another Wi-Fi source, and then sit and wait. Any users that connect to the innocuous-looking access point might face a direct phishing attack through a fraudulent website or, worse, have all of their network traffic transparently monitored and captured. There are additional tools at an attacker’s disposal that simply fingerprint devices.

Granted, this example focused on fairly mundane circumstances, but I ask that you stretch your imagination and consider the same malicious tactics near your company parking lot. It gets a little real, right?

So what can be done about this? First and foremost, you need to educate and train your employees on the threats and risks that exist in Wi-Fi. Secondly, IT and security teams can implement the Extensible Authentication Protocol (EAP) under 802.1X. A number of EAP configurations are secure against evil twin attacks. For instance, IEEE endorses the EAP-SWAT configuration, since its implementation is lightweight and integrates one-way access point authentication inside EAP.
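As an added example (not from the original article), here is a small Python triage that works through the detection side of the last two sections: it compares constructed beacon observations against an assumed authorized AP inventory and flags a corporate SSID coming from a radio we don't own (the evil twin signature), an authorized radio advertising the wrong SSID, and unknown APs on channels we never use. All BSSIDs, SSIDs and channels are constructed sample values.

```python
from typing import NamedTuple
# Authorized AP inventory (constructed sample values): BSSID -> (SSID, channel).
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": ("CorpNet", 36),
    "aa:bb:cc:00:00:02": ("CorpNet", 44),
    "aa:bb:cc:00:00:03": ("CorpGuest", 1),
}

def normalize(ssid):
    return ssid.strip().casefold()  # fold case/whitespace so lookalike SSIDs match

CORPORATE_SSIDS = {normalize(s) for s, _ in AUTHORIZED_APS.values()}
CHANNELS_IN_USE = {ch for _, ch in AUTHORIZED_APS.values()}

class Beacon(NamedTuple):
    ssid: str
    bssid: str
    channel: int
    security: str  # "WPA2-Enterprise", "WPA2-PSK", "OPEN", ...

def classify(b):
    """Label one observed beacon, or return None when it is expected."""
    bssid = b.bssid.lower()
    if bssid in AUTHORIZED_APS:
        # Our own radio: flag it only if it advertises something other than its inventory SSID.
        return None if b.ssid == AUTHORIZED_APS[bssid][0] else "authorized radio advertising unexpected SSID"
    if normalize(b.ssid) in CORPORATE_SSIDS:
        # A corporate SSID from a radio we do not own is the evil-twin signature.
        if b.security == "OPEN":
            return "evil twin (open network using corporate SSID)"
        return "evil twin (corporate SSID from unknown BSSID)"
    if b.channel not in CHANNELS_IN_USE:
        # Unknown AP on a channel we never use: investigate as a possible rogue.
        return "unrecognized AP on channel not in use"
    # Unknown SSID on a shared channel may be a neighbour; RF data alone cannot prove it is on our wire.
    return None

def triage(beacons):
    """Return (bssid, ssid, label) for every beacon that needs a human look."""
    return [(b.bssid, b.ssid, lab) for b in beacons if (lab := classify(b))]

# Constructed scan results standing in for a real site survey.
SCAN = [
    Beacon("CorpNet", "aa:bb:cc:00:00:01", 36, "WPA2-Enterprise"),  # expected
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6, "OPEN"),              # open evil twin
    Beacon("corpnet ", "de:ad:be:ef:00:02", 11, "WPA2-PSK"),        # lookalike SSID twin
    Beacon("CorpGuest", "aa:bb:cc:00:00:02", 44, "WPA2-PSK"),       # our radio, wrong SSID
    Beacon("Cafe-WiFi", "11:22:33:44:55:66", 149, "WPA2-PSK"),      # channel we never use
    Beacon("Neighbour", "11:22:33:44:55:67", 1, "WPA2-PSK"),        # shared channel, not flagged
]
```

Running `triage(SCAN)` yields four findings; the two evil twin entries are the ones the 802.1X/EAP controls in the paragraph above are meant to defeat, while the channel finding is the kind of thing the wireless-band check for rogue access points surfaces.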

Treat all Wireless Connections as Insecure

All corporate WLANs should be encrypted with the strongest encryption mechanisms available, but that is still not enough to secure a wireless network. Wireless networks should be treated the same as the public internet and segmented entirely from trusted internal networks. They should require end users to authenticate (preferably with some form of two-factor) through a VPN or a similar mechanism before being allowed access to a trusted wired segment. In addition, I encourage everyone I talk to to run regular penetration tests against the wireless network to find security holes, and to add the WLAN devices to a regular schedule of vulnerability assessments.